You can use flow collection if continuous visibility across the entire network is needed but it is not practical (because of the network size or budget constraints) to monitor all of the traffic using probes.
Using NAM Probe flow collectors to supplement passive traffic monitoring in a distributed network
The following figure illustrates how a combination of NAM Probe flow collectors and NAM Probe passive traffic monitoring probes can be used to gain complete coverage on a large distributed network.
In a distributed network, using flow analysis is especially useful if remote sites communicate with each other without the traffic coming to a central enterprise router. Traditional hub-and-spoke networks are being replaced with meshed networks. In the hub-and-spoke model, placing a probe at the core of the network provided complete visibility to all the traffic going to all sites. With meshed networks, there is no visibility on traffic going from site to site, unless each remote site is monitored with a probe. However, placing a probe at each site may not be practical.
In such situations, to extend monitoring to the entire network, place a NAM Probe in front of key components such as data center servers and Internet gateways and then enable NetFlow on the routers at these locations (to enable capture of application traffic between remote locations) and use a NAM Probe flow collector (probably the same physical device as the probe) to receive and decode the NetFlow records.
Using NAM Probe flow collectors to supplement passive traffic monitoring within a single data center
The following figure illustrates how a NAM Probe can be used as both a passive traffic monitoring probe and as a flow collector to gain complete coverage of a large data center. Note that, while it is likely that the same physical unit will be used as both a probe and a flow collector, it is also possible to use two separate NAM Probes.
If such a scenario is used and core devices are equipped with more than two interfaces, particular care must be taken to avoid generating huge numbers of flows (thus causing duplication and heavy CPU load on the devices).
It may be that in a large data center there is no need to collect detailed traffic monitoring information from all of points of the network. Connecting probes requires following hardware maintenance procedures, which may require issuing maintenance and authorization requests, whereas arranging for flow collection over the existing network is relatively easy.
Indiscriminate monitoring of all interfaces on hot/core devices can generate very large numbers of flows and create significant CPU load on these devices. In this case CPU load monitoring is particularly important and port pairing may need to be performed to reduce the load and avoid duplication.